V8.03.384.2025.06.03
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -66,8 +66,8 @@ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; prelo
|
|||||||
The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely
|
The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely
|
||||||
dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using
|
dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using
|
||||||
non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own
|
non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own
|
||||||
separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a security
|
separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a ``systemd-analyze security``
|
||||||
rating of 2.6). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use
|
rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use
|
||||||
of both UFW software firewalls and dedicated hardware firewall appliances.
|
of both UFW software firewalls and dedicated hardware firewall appliances.
|
||||||
|
|
||||||
## 1.2. Immutable Source-of-Truth System
|
## 1.2. Immutable Source-of-Truth System
|
||||||
|
|||||||
Reference in New Issue
Block a user